Attackers Shift Exploits to Applications

The 2005 SANS Top 20 list of the worst vulnerabilities finds attackers deserting operating system vulnerabilities for flaws in applications and network devices.

A major shift in Internet attacks is underway. “For five years, the majority of attacks targeted operating systems like Unix and Windows, and Internet services like Web servers and mail systems,” notes a new study from SANS, a computer security education and information security training firm based in Bethesda, Md.

As of 2005, however, the latest vulnerability research finds attackers now favoring application attacks over OS attacks. At special risk are backup, recovery, antivirus, and a variety of other security tools—the very tools companies “think are keeping them safe from attacks and from loss of data,” says SANS. Yet “many of those systems have been shown to have critical vulnerabilities.”

These findings are just some of the highlights of the 2005 edition of the SANS Top 20, an annual list of the 20 most critical Internet security vulnerabilities as determined by leading security experts. The guide helps information security managers know which vulnerabilities are the worst so they can be patched first.

New Attack Patterns Emerge

Substantial research backs up SANS’ assertions. For example, Rohit Dhamankar, the lead security architect of 3Com’s TippingPoint division, notes that “we are seeing a trend to exploit not only Windows but other vendors’ programs installed on large numbers of systems.” The trend includes attacks directed at “backup software, antivirus software, database software, and even media players.”

Indeed, attackers often target the vulnerabilities that most easily allow them to subvert a PC, and “we are finding significant numbers of vulnerabilities in popular applications,” says Gerhard Eschelbeck, chief technology officer of Qualys, which conducts “weekly vulnerability scans, covering millions of computer systems in more than 20 countries.”

To take that into account, the latest top 20 now includes sections for cross-platform applications, detailing vulnerabilities for everything from antivirus and PHP-based applications to instant messaging applications and Mozilla and Firefox browsers.

Another new section covers network-device vulnerabilities, grouping them by Cisco Internetwork Operating System (IOS)—Cisco’s standard router and switch OS—and non-IOS products; Juniper, CheckPoint, and Symantec products; plus configuration weaknesses in Cisco devices.

Why single out these devices? As SANS notes, “network devices often have on-board operating systems and can be programmed just like computers.” Furthermore, “compromises of network devices can provide attackers with one of the most fruitful platforms for eavesdropping and launching targeted attacks,” since many organizations aren’t aware of (or else ignore) the threat posed by vulnerabilities in network devices.

As with all vulnerabilities, the time between public disclosure of application and network device vulnerabilities and the attacks designed to exploit them continues to decrease, notes Jerry Dixon, the director of US-CERT. For example, “US-CERT has received reports of important system compromises using vulnerabilities in backup products within a few days of the public disclosure of vulnerabilities in those products.”

The potential for damage from application and network device exploits can be substantial, says 3Com’s Dhamankar. “Flaws in these programs put critical national and corporate resources at risk, and have the potential to compromise the entire network.”

New Top 20 Drops Older Threats

Beyond specifically detailing new types of vulnerabilities, the annual edition of the top 20 features another notable change: it eschews the previous, cumulative approach of listing all top vulnerabilities, no matter how old. Now, the top 20 will only include vulnerabilities from approximately the past 18 months. For organizations that haven’t patched their systems in some time, SANS recommends they first master the list of top 20 vulnerabilities from 2004.

Related Articles:

SANS Top Vulnerability List Gets Quarterly Updates
http://www.esj.com/Security/article.aspx?EditorialsID=1380

Q&A: Security Best Practices Include Automated Remediation
http://www.esj.com/Security/article.aspx?EditorialsID=1348

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.